hlxsites · jenjoe22 · Dec 13, 2024 · Dec 12, 2024 · Dec 13, 2024
diff --git a/...ns/search-and-investigate/permissions-queries/permissions-query-attributes.adoc b/...ns/search-and-investigate/permissions-queries/permissions-query-attributes.adoc
@@ -28,6 +28,20 @@ Use the following to find cross-account connection:
 config from iam where source.cloud.account != dest.cloud.account
 ----
 
+* *source.cloud.account.isvendor*
++
+This query retrieves all permissions granted to known vendors in the environment. 
++
+----
+config from iam where source.cloud.account.isvendor = true
+----
++
+The following sample query retrieves all vendor accounts that do not start with Red.
++
+----
+config from iam where source.cloud.account DOES NOT START WITH 'Red' and source.cloud.account.isvendor = true 
+----
+
 * *source.cloud.accountgroup*
 +
 Narrows down the permissions to the cloud accounts in your cloud account group. The following example list permissions of all EC2 instances in any of your AWS accounts:
@@ -71,14 +85,6 @@ Lists the effective permissions for a cloud resource with a specific tag.
 config from iam where source.cloud.resource.tag ( 'string' ) exists
 ----
 
-* *grantedby.cloud.condition*
-+
-Queries permissions where the policy statement contain and or doesn't contain conditions.
-+
-----
-config from iam where grantedby.cloud.policy.condition ('aws:sourceIP', 'IpAddress') exists
-----
-
 * *source.cloud.service.name*
 +
 Queries permissions of a specific cloud service such as: IAM, S3, EC2, `Microsoft.Compute`, or `Microsoft.Storage`.
@@ -244,6 +250,14 @@ Queries all S3 buckets that are publicly accessible. All GCP public resources wi
 config from iam where source.public = true AND dest.cloud.service.name = 'S3' AND dest.cloud.resource.type = 'bucket'
 ----
 
+* *grantedby.cloud.condition*
++
+Queries permissions where the policy statement contain and or doesn't contain conditions.
++
+----
+config from iam where grantedby.cloud.policy.condition ('aws:sourceIP', 'IpAddress') exists
+----
+
 * *grantedby.cloud.type*
 +
 Narrows down your search option to specific clouds. The following example lists effective permissions where the granter such as group, role, or policy is in your AWS cloud accounts:
@@ -266,6 +280,10 @@ Queries permissions that have been granted by a specific policy by its id, such
 config from iam where grantedby.cloud.policy.id = 'arn:aws:iam::aws:policy/AdministratorAccess'
 ----
 
+* *grantedby.cloud.policy.isExcessive*
+
+Identifies excessive access in IAM policies (AWS IAM Policies/Azure Roles/GCP Roles) when including “*” in the action or scope sections.
+
 * *grantedby.cloud.policy.name*
 +
 Queries permissions that have been granted by a specific policy such as AWS Managed Policy, AWS Inline Policy, or GCP role name. The following example lists all effective permissions that have been granted by the AWS Managed Policy `AdministratorAccess`: 
@@ -342,18 +360,18 @@ Queries permissions granted by a specific entity, such as AWS IAM group or role,
 config from iam where grantedby.cloud.entity.tag ( 'Severity' ) = 'High'
 ----
 
-* *grantedby.level.id*:
+* *grantedby.level.id*
 Identifies permissions granted by specific level ID. For example:
 
 ** Azure: Groups with access to Azure management group/Subscriptions/Resources.
 ** GCP: Users with access to GCP organization/Folder/Project/Service.
 
-* *grantedby.level.name*:
+* *grantedby.level.name*
 Identifies permissions granted by specific level name. For example:
 ** Azure: Groups with access to Azure management group/Subscriptions/Resources.
 ** GCP: Users with access to GCP organization/Folder/Project/Service.
 
-* *grantedby.level.type*:
+* *grantedby.level.type*
 Queries permissions granted to a specific level type. For example:
 
 ** Azure: Groups with access to Azure management group/Subscriptions/Resources.